In the realm of networking, establishing secure communication between two sites using a Site-to-Site IPSec VPN is a common requirement. When dealing with Cisco devices, specifically an IOS router connecting to an ASA firewall, the configuration can differ depending on the ASA software version. Since ASA version 9.7, significant changes have been introduced, particularly concerning the handling of VPN traffic hairpinning.
This blog dives into the old way (pre-ASA 9.7) and the new way (post-ASA 9.7) to configure Site-to-Site IPSec VPN between an IOS router and an ASA firewall with hairpinning.
---
### **What is VPN Hairpinning?**
VPN hairpinning, also called VPN intra-interface, allows VPN traffic to ingress and egress the same ASA interface. This is especially useful in scenarios where a remote site connects to the ASA, and the traffic needs to be redirected to another VPN tunnel.
---
### **Pre-ASA 9.7 (Old Way)**
Before ASA 9.7, VPN configuration was more rigid, and additional manual steps were required to support features like hairpinning. Here’s how it was typically handled:
#### **1. Enable Intra-Interface Traffic**
To allow hairpinning, you needed to explicitly enable `same-security-traffic permit intra-interface`:
```
ciscoasa(config)# same-security-traffic permit intra-interface
```
#### **2. Define Crypto ACLs**
The crypto ACLs on both the IOS router and the ASA specified the traffic permitted to pass through the tunnel. On the ASA, these ACLs were used to match interesting traffic.
**ASA Configuration:**
```
access-list CRYPTO_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
```
**IOS Router Configuration:**
```
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
```
#### **3. Configure NAT Exemption**
To prevent VPN traffic from being translated, manual NAT exemption was configured.
**ASA Configuration:**
```
! obj-192.168.1.0 and obj-192.168.2.0 are "object network" definitions for the local and remote LANs
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
```
#### **4. Configure Tunnel Groups and Group Policies**
The tunnel group and group policies were configured with pre-shared keys (PSK).
**ASA Configuration:**
```
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key mysecurekey
```
#### **5. Enable Hairpinning Rules**
Traffic flow required ACL rules permitting hairpinned traffic on the ASA, applied inbound on the interface where the VPN terminates:
```
access-list OUTSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
```
---
### **Post-ASA 9.7 (New Way)**
Starting with ASA 9.7, Cisco introduced simplified VPN configurations by replacing the old crypto map structure with the more flexible Virtual Tunnel Interface (VTI). VTIs streamline the configuration of IPSec tunnels and inherently support advanced features like hairpinning.
#### **1. VTI-Based Configuration**
In the new method, a Virtual Tunnel Interface (VTI) is used instead of manually defining crypto maps. This eliminates the need for ACL-based crypto maps.
**ASA Configuration:**
```
interface Tunnel1
 nameif VPN_TUNNEL
 ip address 192.168.10.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
```
**IOS Router Configuration:**
```
! tunnel source is the router address the ASA peers with (203.0.113.1);
! 198.51.100.1 is assumed to be the ASA's outside address
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VPN_PROFILE
```
#### **2. Simplified NAT Configuration**
With ASA 9.7 and VTIs, NAT exemption is automatically handled within the VTI framework. Manual NAT exemption rules are no longer required.
#### **3. Hairpinning with Route-Based VPN**
Traffic hairpinning is natively supported when using VTIs, because the ASA makes its forwarding decision per tunnel interface: the remote LAN is reached by a static route that exits the VTI toward the router's tunnel address.
**ASA Configuration:**
```
route VPN_TUNNEL 192.168.2.0 255.255.255.0 192.168.10.2
```
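A small config audit, added here as an example and not part of the original post, that checks an ASA config text for the two prerequisites this post discusses: a crypto-map VPN must have `same-security-traffic permit intra-interface`, and a VTI must be complete with every route through it egressing the VTI's nameif rather than `inside`. The sample config is constructed and the function names are mine.

```python
import ipaddress
import re
# Constructed sample (not from the post): the VTI above plus a route that egresses "inside"
SAMPLE_ASA_CONFIG = """\
interface Tunnel1
 nameif VPN_TUNNEL
 ip address 192.168.10.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
route inside 192.168.2.0 255.255.255.0 192.168.10.2
"""
REQUIRED_VTI_CMDS = ("nameif", "ip address", "tunnel source interface", "tunnel destination",
                     "tunnel mode ipsec ipv4", "tunnel protection ipsec profile")

def parse_tunnel_interfaces(cfg):
    """Return {"Tunnel1": [sub-commands], ...} for each 'interface TunnelN' block."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface Tunnel"):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit_asa_vpn_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Old way: a crypto-map VPN only hairpins when intra-interface traffic is permitted.
    if "crypto map" in cfg and "same-security-traffic permit intra-interface" not in cfg:
        findings.append("crypto map without 'same-security-traffic permit intra-interface'")
    vti_nets = {}  # nameif -> tunnel subnet; a route whose next hop is in it must egress that nameif
    for name, cmds in parse_tunnel_interfaces(cfg).items():
        for req in REQUIRED_VTI_CMDS:
            if not any(c.startswith(req) for c in cmds):
                findings.append(f"{name}: missing '{req}'")
        nameif = next((c.split()[1] for c in cmds if c.startswith("nameif ")), None)
        addr = next((c.split()[2:4] for c in cmds if c.startswith("ip address ")), None)
        if nameif and addr:
            vti_nets[nameif] = ipaddress.ip_network("/".join(addr), strict=False)
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.MULTILINE):
        egress, dest, mask, hop = m.groups()
        for nameif, net in vti_nets.items():
            if ipaddress.ip_address(hop) in net and egress != nameif:
                findings.append(f"route {dest} {mask} via {hop} egresses '{egress}', not VTI '{nameif}'")
    return findings
```

Run against the sample it reports the misrouted static route; point the route at `VPN_TUNNEL` and the findings list is empty.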
---
### **Key Advantages of the New Way**
- **Simplified Configuration**: VTIs reduce the complexity of defining crypto maps and ACLs.
- **Dynamic Routing Support**: VTIs work seamlessly with dynamic routing protocols like OSPF and BGP.
- **Enhanced Flexibility**: Features like hairpinning and NAT exemption are integrated into the VTI framework, reducing manual configurations.
- **Scalability**: The VTI approach is more scalable, making it ideal for large-scale deployments.
---
### **Conclusion**
The introduction of VTIs in ASA 9.7 marked a significant improvement in how Site-to-Site IPSec VPNs are configured and managed. By transitioning from the older crypto map method to the newer VTI-based approach, Cisco has simplified the process, making it more efficient and scalable while reducing configuration errors. For network engineers, embracing the new method ensures smoother deployments and easier management, especially in scenarios requiring advanced features like hairpinning.
If you're still using the old method, now is the time to upgrade and experience the benefits of VTIs!